Forgot your password?
typodupeerror
Windows Microsoft Security

Microsoft Patches a Record 570 Security Flaws (krebsonsecurity.com) 76

An anonymous reader quotes a report from Krebs on Security: Microsoft today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence. Nearly 60 of the bugs quashed in July's Patch Tuesday earned a "critical" severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild.

Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 - an Active Directory Federation Services bug -- and CVE-2026-56164, a Microsoft Sharepoint vulnerability. CVE-2026-50661 is a security feature bypass in Windows BitLocker that could allow attackers to gain access to encrypted data if they have physical access to the device. Microsoft said this bug has been detailed publicly, but that it is not aware of any active exploitation.

In a blog post on July 9, Microsoft Executive Vice President Pavan Davuluri wrote that Windows users will notice "a higher volume of security updates included in each security release" as a result of AI aiding in the discovery of vulnerabilities. "The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis," Davuluri wrote.

Microsoft Patches a Record 570 Security Flaws

Comments Filter:
  • by Futurepower(R) ( 558542 ) on Wednesday July 15, 2026 @11:11AM (#66239756) Homepage
    The big underlying issue is why does Microsoft deliver software with so many flaws?
    • by AmiMoJo ( 196126 ) on Wednesday July 15, 2026 @11:23AM (#66239774) Homepage Journal

      It doesn't, they just turned AI on it for the first time.

      Linux is going through the same thing, only with less good AI and more slowly.

      • It doesn't, they just turned AI on it for the first time.

        I.e. "It does."

        • It doesn't, they just turned AI on it for the first time.

          I.e. "It does."

          More precisely, "Everyone does".

          Microsoft's code isn't especially shoddy, all large codebases that are getting AI review right now are experiencing the same thing.

          • More precisely, "Everyone does".

            Microsoft's code isn't especially shoddy [...]

            Actually, producing shoddy code is precisely what Microsoft is know for. All they are interested in is locking people into their ecosystem, and producing good code is a disadvantage in that business model. The worse their code is, the more difficult it is for users to step away. User lock-in has always been their goal, and they don't even lie about it. This moat strategy is arguably the most deliberate and consistent part of the company's history.

            For instance, they created the SMB file protocol not from com

            • by tlhIngan ( 30335 ) <slashdot.worf@net> on Wednesday July 15, 2026 @03:23PM (#66240302)

              For instance, they created the SMB file protocol not from computer science first principles, but as a hack. And so everyone who wants to interoperate with it (e.g. Samba) is then locked in a decade long attempt to reproduce every single bug in their own code.

              Incorrect. SMB was created by IBM to share printers and files in the PC-DOS (and likely token ring) days.

              Microsoft adapted it for their Windows networking product in Windows NT as an alternative to the IPX/SPX protocol that Novell had.

              Andrew Tridge then realized his SMB client/server project would work not just for IBM, but for Microsoft networks as well with a few slight adaptations to evolve the protocol (especially since it wasn't running on TCP/IP in the early days).

              Microsoft later adapted it for Windows Vista in SMB 2 and Windows 7 as SMB 3. But SMB 1 still remains a deprecated option because many Linux based NAS devices, in an attempt to skirt the GPLv3, still use an ancient version of Samba that only supports SMB1. (Samba went to GPLv3 about 3 weeks before it released support for SMB2). This is why many routers and cheap NAS boxes still require you to install SMB1 support.

              (NAS providers like QNAP, Synology and vendors like Apple chose not to use the GPlv3 Samba after this, and wrote their own SMB2+ implementation). The need for SMB1 should decrease further because the Linux kernel itself has SMB2+ support inside it.

              At which point we can truly ditch the nightmare that is SMB1, which is kept around less for Windows and more for devices running Linux. (You need SMB1 for Windows XP and lower and those haven't been supported in over a decade)

              The other thing is SMB was for file and print sharing, and Microsoft did the EEE thing with it once IBM was no longer interested in it which Samba had to follow faithfully to be completely compatible.

            • Actually, producing shoddy code is precisely what Microsoft is know for.

              It's really not. 20 years ago, yes, but they've grown up and wised up. I know lots of excellent engineers at Microsoft, and I know they do good work, and they report that their colleagues do, too.

              And note that I'm no MS fanboy. I hated them with a purple passion in the late 80s and early 90s, and swore off Windows entirely in 2001. I did finally break down and buy a Windows laptop a couple of years ago because I bought a CNC milling machine and the good software is Windows only, but that's the only th

          • And, that includes the various flavors of *Nix, also.

        • by AmiMoJo ( 196126 )

          You can't really say it's bad code when nobody else has managed to do any better.

          • by Z00L00K ( 682162 )

            A lot of security flaws are when you look at them the most common mistakes like access outside buffers, use after free and such. In those cases they can result in erratic behavior when you go beyond the bounds of allocated memory.

            The absolutely worst issues aren't coding mistakes but architectural mistakes, but those aren't that common and often kept under wraps or released as "Working as designed - not a flaw" and the users have to perform a workaround or a workaround being released later - like an update

      • The issue comes from: how many of these security flaws aren't anything at all (or are barely worth knowing about), and how many are repeats from the last time they ran "Clod" or whichever one they're using.

        Just gotta be careful that the bug-hunting AI doesn't identify the usability as a security flaw.

      • And how many of these patches are made by "AI", I wonder.

      • I noticed that the update rate in Mint seems quite elevated lately.

        There is a lot of scrambling going on. AI does see, to have a value for slinging endproduct against the wall and targeting where ever something stuck.

      • by gweihir ( 88907 )

        Yep. Low hanging fruit, resulting from AI looking at it from a different angle. Will probably dry up in a few months. Does not mean a lot.

    • MSFT wants to sell you and your enterprise the tools and capacity to bug hunt your own code and allegedly help you "drive costs" out of your operations. I suspect this is more of a "look, we are eating our own dog food!" exercise to drive sales.

      They're trying to slap the copilot moniker on anything they can lay a hand on to further that goal. Someone's gotta pay for all that capex they're pushing into their datacenter infrastructure....might as well be you.

      • This is true, go into Microsoft Defender for Cloud or Microsoft Defender for Endpoint, or Intune, and see how many warnings can be "fixed" if you buy another product or service. Microsoft has turned Windows into a PaaS and DMaaS (Digital Molestation as a Service), but people don't want an OS that is a PaaS and DMaaS we want an OS that stays out of the way, and doesn't digitally molest us.

        I think fixing bugs and real issues is fantastic, so I won't pick on them for solving 600 issues, that's fine, but it'
        • > but it's the PaaS and DMaaS nature of their offerings which is the issue, IMHO.

          They used to rely on shipping buggy crap that would "inspire" users to pay upgrade to get the less bug riddled versions, and thus had created an income stream for years after the initial sale. That particular ship has sailed, and with things being online all the time, they have to fix bugs, not just in the new stuff, but in the existing stuff too. They can't rely on the "pay to upgrade" money tree any more, so they came up w

    • by Zocalo ( 252965 )
      It's bad, but Microsoft has a awfully large number of lines of code to run through Mythos or whatever (whether they need that many is a whole other discussion). A more useful metric on overall code quality would be how many bugs are being found per 10k lines of code compared to their peers (including FLOSS); e.g. if Microsoft ran 10m SLOC through Mythos to get those 570 bugs, and a smaller project ran 1m SLOC and got 57 bugs, then you could reasonably argue that their code quality is about on a par with th
      • On the upside, we're probably going to get several months of this while everyone with access to Mythos et al runs their existing code through it and integrates into their release processes for new code, and the end result will be things being much harder for all the bad actors in the world. Even if you don't use the improved code yourself, that's hopefully going to have a significant impact on the number and size of all the botnets out there, and that's a net benefit to everyone apart from the bad actors.

        This. Short term pain for long term gain.

      • It's bad, but Microsoft has a awfully large number of lines of code to run through Mythos or whatever

        You mean the famous Microsoft bloat? That's a feature I guess.

        On the upside, we're probably going to get several months of this while everyone with access to Mythos et al runs their existing code through it and integrates into their release processes for new code, and the end result will be things being much harder for all the bad actors in the world.

        So the last couple years of destroyed functionality, are suddenly going to end, and we'll have the secure OS they've been telling us is the most secure and it'll be puppy dogs and rainbows?

        Meanwhile, the presumably insecure MacOS and Linux don't seem to have this issue. I'll believe it when the other Os' end up gone, and Microsoft is so secure, all the AV providers go out of business.

        • "the presumably insecure MacOS and Linux don't seem to have this issue."

          Excuse me?

          I use a Red Hat Linux clone/derivative called Rocky Linux on all of my computers (desktops, laptops, server) and there's currently a discussion on the Rocky message board about how there are suddenly so many kernel updates being issued as a result of bugs found (presumably by AI) that the Rocky maintainers are having difficulty maintaining the pace.

          Here's the discussion if you're interested:
          https://forums.rockylinux.org/... [rockylinux.org]

          • "the presumably insecure MacOS and Linux don't seem to have this issue."

            Excuse me?

            I use a Red Hat Linux clone/derivative called Rocky Linux on all of my computers (desktops, laptops, server) and there's currently a discussion on the Rocky message board about how there are suddenly so many kernel updates being issued as a result of bugs found (presumably by AI) that the Rocky maintainers are having difficulty maintaining the pace.

            Here's the discussion if you're interested: https://forums.rockylinux.org/... [rockylinux.org]

            Were there 500 security updates a month after there were 200 updates? I have Linux Mint as well as Raspbian, and keep track up updates. Perhaps I didn't count correctly.

            And no where did I say that MacOS and Linux don't have security flaws. There is no perfectly secure OS. If can be written, it can be compromised. But to suggest that Windows is the equal of the other two, well, that needs a whole lot of proof.

            • by jezwel ( 2451108 )

              Were there 500 security updates a month after there were 200 updates? I have Linux Mint as well as Raspbian, and keep track up updates. Perhaps I didn't count correctly.

              And no where did I say that MacOS and Linux don't have security flaws. There is no perfectly secure OS. If can be written, it can be compromised. But to suggest that Windows is the equal of the other two, well, that needs a whole lot of proof.

              Note that the '570 vulnerabilities' were across Windows and other software, I saw mention of AD, Office, Sharepoint, and Copilot in TFA.

              So to compare apples to something like apples, you'll need to look at your authentication system, OS, productivity suite, email server and client, AI, and collaboration platforms including chat, file sharing, and media management.
              I'm no MS fanboi - heck I replaced my Windows based NAS OS with ZimaOS earlier today - but props at least that they're doing something.

              Now if they

              • Note that the '570 vulnerabilities' were across Windows and other software, I saw mention of AD, Office, Sharepoint, and Copilot in TFA.

                So to compare apples to something like apples, you'll need to look at your authentication system, OS, productivity suite, email server and client, AI, and collaboration platforms including chat, file sharing, and media management. I'm no MS fanboi - heck I replaced my Windows based NAS OS with ZimaOS earlier today - but props at least that they're doing something.

                Now if they can address bloat, stop putting Copilot into everything, and fix weird issues where hardware stops working (but runs fine under other OSes) I'd feel a bit better about them as a company.

                The last one, about hardware stopping function is a real killer. I teach some emergency communications classes. Smart people who just need exposure, digging into their computers a bit to have their systems run. Much of the software is on multiple platforms, but most use Windows 11. Back when Windows 7 was in its heyday, it took two class sessions to get everyone running, then we'd delve into the details of the software. Windows 10 wasn't too much of a problem, after some weird audio driver issues were iron

              • Hope the AI they use for scanning for security vulnerabilities (in any OS) doesn't flag "being used", end user, internet connectivity, and outputting to a display all as security vulnerabilities and decide to "fix" them, in effect preventing humans from using computers ever again.

                It'd be even worse if the scanning AI issued fixes as fast as it identified them.

    • by Hadlock ( 143607 )

      Given your user ID # I think you know the reason(s)

    • We can bust on Microsoft all day and all night, and they deserve it, but the fact that their ability to find and fix these problems has greatly increased is a good thing. Software is incredibly complex, and no software more complicated than "10 GOTO 10" is free from the potential of security problems. Microsoft's QA has gone downhill in recent years, but now it's getting better apparently (even if it's after the fact). They are not going away, so this makes all our lives better.

    • by Himmy32 ( 650060 )

      As much fun as it is to hate on Microsoft, when all everything is lumped into one monolithic pot it's of course going to look worse. Firefox, LibreOffice, dm-crypt, or OpenSSH bugs aren't counted together in one big "Linux" pot. One recent Firefox update had 271 security fixes in one cycle [zdnet.com].

      Microsoft's list of 570 includes Office, SharePoint, Active Directory, BitLocker, and Edge, which is a wide range of products.

    • by Jeremi ( 14640 )

      Part of it may be a dysfunctional corporate culture, but a lot of it is a consequence of Microsoft's business decision to maintain backwards compatibility at all costs. When you're committed to retaining every design mistake, forever, the complexity of the codebase just keeps rising, which means that less and less of it can fit into anyone's mind at one time, which means more mistakes are made going forward, and the technical debt just keeps compounding.

      • Part of it may be a dysfunctional corporate culture, but a lot of it is a consequence of Microsoft's business decision to maintain backwards compatibility at all costs. When you're committed to retaining every design mistake, forever, the complexity of the codebase just keeps rising, which means that less and less of it can fit into anyone's mind at one time, which means more mistakes are made going forward, and the technical debt just keeps compounding.

        The whole effort of design of software systems is ultimately the effective management of complexity. Complexity of features that provide real world value is the developers problem to manage. If "technical debt just keeps compounding" it is probably best to find a better developer.

        • by Jeremi ( 14640 )

          The whole effort of design of software systems is ultimately the effective management of complexity. Complexity of features that provide real world value is the developers problem to manage. If "technical debt just keeps compounding" it is probably best to find a better developer.

          I love scapegoating individual developers as much as the next guy, but if you take a look at the Win32 API, you'll find loads of fun "features" such as:

          - Every single function that takes a string has two implementations: one that ends with the letter A (and takes its strings as ASCII) and one that ends with the letter W (and takes its strings as UCS-16). And then it has a preprocessor-define (with no suffix) that gets expanded to either one implementation or the other, based on your compiler settings.

          - wi

    • by Junta ( 36770 )

      While I'm all about the Microsoft hate, in this scenario, it's not exactly unique, nor does a count tell the whole story.

      Famously the kernel had a handful of high profile security issues discovered, so Microsoft has company. If you are floored by the number of security 'flaws', well, many projects are dealing with those and while higher than usual (largely due to AI findings), a lot of 'security' findings have long been dubious and the AI findings are no exception.

      For example, a parser for a comprehensive

    • As a long-time Linux user, I have two questions. First, why does Microsoft insist on holding on to all of these bug patches and security fixes so that they can be released all together on Patch Tuesday instead of being made available right away as Linux does? Second, why do so many people insist on paying money for such a flawed system and putting up with such a slow update pace?
      • As a long-time Linux user, I have two questions. First, why does Microsoft insist on holding on to all of these bug patches and security fixes so that they can be released all together on Patch Tuesday instead of being made available right away as Linux does? Second, why do so many people insist on paying money for such a flawed system and putting up with such a slow update pace?

        I reboot my Windows box once a month. If I reboot my Linux boxes every time they get a kernel patch it makes for lots of rebooting. I have a Rocky 8 box that is on extended maintenance and it still gets kernel patches almost weekly. It used to be the other way around. The days of long uptimes are long gone.

        • I'm retired, and it's long been my habit to update my Fedora box every morning while making breakfast. I agree with you that the kernel's getting updated far more often than it used to be. Recently, it was updated at least three times in one week (maybe four, I'm not sure) which seems excessive. I think that was while they were getting rid of the insecure forms of string manipulation, but I wasn't involved in that and could be wrong.
        • Exactly... if the patch for vulnerability X29B2 was released the moment it was finished, followed by X30B3 2 minutes later, nobody would ever get anything done. There's a 60/40 chance that for each of those individual vulnerability patches would need a reboot, and maybe a 30% chance that no other patch can install due to the pending reboot.

          And, having that happen while you're doing something in Office (where the update installs, closes and then reopens the program) would be a massive pain if everyone in th

    • No one answered your sincere question, so I will. At least search shows no mention of "liability" and that's the key.

      Actually the real question is "Given their completely lack of legal liability even for the most egregious flaws in their software, why did Microsoft bother to patch so many of them?"

      Going for Funny:

      Microsoft was feeling too humane to fire all the unneeded humans. Now the humans sit around testing the AI software, including the patches for all those bugs created in the past...

    • The big underlying issue is why does Microsoft deliver software with so many flaws?

      Because people kept buying their software.

    • by gweihir ( 88907 )

      They seem to be proud of how crappy their stuff is ...

    • > The big underlying issue is why does Microsoft deliver software with so many flaws?

      Windows was designed to make it difficult to clone. Integrating the API directly into the operating system core. In the process making it totally unstable and impossible to debug. Making cross-platform JAVA Windows only and so on.
  • by schwit1 ( 797399 ) on Wednesday July 15, 2026 @11:18AM (#66239766)

    https://msrc.microsoft.com/upd... [microsoft.com]

    "If people want a severity hook, July has 26 vulnerabilities with a CVSS base score above 9.0, and 13 of those sit at 9.8," said Josh Taylor, lead cybersecurity analyst at Fortra

  • I can easily see a day where every bit of software is subjected to an AI check before it is released.

    There may come a day when hacking is far more rare and requires government level resources to pay for an AI better than the one software makers use.

    There will always be vulnerabilities but they might only be visible to government spies.

    • Or you just hack into the Tessier-Ashpool mainframe if you can't afford to rent time on Wintermute

    • I can easily see a day where every bit of software is subjected to an AI check before it is released.

      There may come a day when hacking is far more rare and requires government level resources to pay for an AI better than the one software makers use.

      There will always be vulnerabilities but they might only be visible to government spies.

      The AI reviews (of current code, and new code) was stated as an foreseeable outcome at the recent RSAC conference by a few presenters (this was before Mythos was publicly announced, but the direction of the capability of the models was obvious).

      And those same presenters stated the next few years were going to be most interesting, as the models will be finding (new, or different) bugs faster then the software will get fixed. In the long run, as you suggest, those speakers believed that the easy exploits

    • All of the software we write now goes through agent code reviews, multiple agent security checks, agent quality checks. I count no fewer than 8 gates that are scanning for vulnerabilities using some kind of language model. Most of the code we're writing is written by an agent, so the need for 8 levels of agent gates is obvious. We have skills that use agents to address PR review comments made by ... other agents. So the whole cycle is automated, and every token burned is money in Anthropic's wallet. Instead

    • by gweihir ( 88907 )

      Probably will not help much as AI is quite limited in what it finds. And attackers can randomize it and bypass that "protection level" anyways.

    • The only way to make a computer hacker-proof is to unplug all the wires.
      As long as humans use them, computers are hackable.

  • by Z80a ( 971949 ) on Wednesday July 15, 2026 @12:29PM (#66239894)

    To find a security flaw, you only need to be right once.
    So if you have a machine that has a shitload of false positives, and have a way to filter em quickly, you end up with a bunch of true positives.
    Now to code, you ideally want to always be right, which is not quite ideal for a machine that does a lot of false positives.
    It's a pretty fun scenario, specially if you're not the only one running the security flaw finding machine.

    • To find a security flaw, you only need to be right once. So if you have a machine that has a shitload of false positives, and have a way to filter em quickly, you end up with a bunch of true positives. Now to code, you ideally want to always be right, which is not quite ideal for a machine that does a lot of false positives. It's a pretty fun scenario, specially if you're not the only one running the security flaw finding machine.

      Does it even matter any more? It is the Microsoft way, and their "patches" tend to just turn needed things off. Meanwhile the faithful can continue the claims that Microsoft is every bit as secure as any other OS out there.

      • by Z80a ( 971949 )

        At the scale it's getting, i don't think anyone in microsoft want to be "the ones at fault for lockheed martin getting hacked", or worse, disney.

        • At the scale it's getting, i don't think anyone in microsoft want to be "the ones at fault for lockheed martin getting hacked", or worse, disney.

          A decent point. It seems however, that Windows will soon be running Office 365, and not much else.

  • Anyone want to claim that MacOS and Linux are security through obscurity?

    The problem with Microsoft's "security" updates that they turn off features that many programs need. The ain't security, that's just a march toward the only programs workingare the ones Microsoft sells you. And they aren't secure either.

  • The summary says: "Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild. "

    (scratches head) How can a flaw be called zero-day and already be exploited in the wild?
  • "The pace of vulnerability discovery is changing with advances in AI" Sadly, this also holds true for the attackers.
  • Remains to be seen if the pace of QA can keep up. 8 Ball says - Signs Say No

  • Microsoft creates 1140 security flaws

  • How many security flaws remain?
    • How many more have been introduced via the patches...
    • by gweihir ( 88907 )

      If AI finds this many? A LOT...

      But yes, that is the actual question that matters.

      • If AI finds this many? A LOT...

        But yes, that is the actual question that matters.

        I work for a Glasswing company and it was turned loose on my application. We lost 2 weeks patching bullshit non-issues. One that was vivid? My arg-less scheduled task endpoint was a GET instead of a POST. That's stupid and pedantic and makes it harder for QA to test, but fine...I can accept that. Some asshole long ago arbitrarily said only POST can have side effects because HTTP has no "DO" method...it's breaking convention, but not a bug, nor a security flaw.

        A bunch were absolutely wrong. One was co

        • by gweihir ( 88907 )

          Yes. And by wasting time like this, it is making us actually less secure. The case where you know somewhere is a vulnerability, but you have it carefully firewalled in the code and documented that, is a prime example. That is _not_ something that needs to be fixed. That may be something that should not be fixed. But LLMs have no understanding of things, they just do some fancy pattern matching.

          My own key observation was those "273 potential zero-days in FF" from Mythic. Turns out, the patch notes listed 3 b

  • wonder how they can patch so widely without breaking lots of applications. Of course, it is needed and hopefully after a few months of every vendor patching, we'll be in a safer world.

The possession of a book becomes a substitute for reading it. -- Anthony Burgess

Working...